CVE-2026-48962

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

27/05/2026

Last modified:

27/05/2026

Description

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.<br /> <br /> _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.<br /> <br /> Arbitrary Perl in the output glob executes at the calling process&#39;s privilege.

Impact

References to Advisories, Solutions, and Tools

https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
http://www.openwall.com/lists/oss-security/2026/05/27/4